inferring bgp blackholing in the internet
play

Inferring BGP Blackholing in the Internet Vasileios Giotsas, - PowerPoint PPT Presentation

Mar 27, 2023 •399 likes •956 views

Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai DDoS A&acks are a Serious Threat 2 AS1

  1. Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai

  2. DDoS A&acks are a Serious Threat 2

  3. AS1 172.18.192.1 AS4 AS3 Server AS2 3

  4. Networks under A&ack AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 4

  5. Blackholing AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 5

  6. BGP Blackholing AS1 BGP 172.18.192.1 AS4 AS3 AQack Target Server AS2 6

  7. BGP Blackholing AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 7

  8. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 8

  9. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 9

  10. BGP Blackholing in the Internet AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 10

  11. BGP Blackholing in the Internet AS3:666 Blackholing Community 172.18.192.1/32 Community = AS3:666 AS1 172.18.192.1 AS4 172.18.192.1/32 AS3 AQack Blackholed Target Prefix Server AS2 RFC1997, RFC5635, RFC7999 11

  12. BGP Blackholing in the Internet AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 RFC1997, RFC5635, RFC7999 12

  13. BGP Blackholing in the Internet 172.18.192.1/32 Community = AS3:666 AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 RFC1997, RFC5635, RFC7999 13

  14. BGP Blackholing in the Internet AS1 172.18.192.1 AS4 AS3 AQack Target Server AS2 RFC1997, RFC5635, RFC7999 14

  15. Terminology 172.18.192.1/32 Community = AS3:666 AS1 172.18.192.1 AS4 AS3 Blackholing Blackholing User Provider AS4 AQack AS3 Target Server AS2 15

  16. BGP Blackholing in an IXP member AS1 Route Server member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 16

  17. BGP Blackholing in an IXP member AS1 172.18.192.1/32 Route Server Community = IXP:666 member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 17

  18. BGP Blackholing in an IXP 172.18.192.1/32 Next hop: 80.81.192.66 (blackhole) member AS1 Community = IXP:666 Route Server member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 18

  19. BGP Blackholing in an IXP member AS1 Route Server member AS2 172.18.192.1 member AS4 member AS3 AQack Target IXP Server 19

  20. BGP Blackholing in an IXP member AS1 Route Server member AS2 172.18.192.1 IXP Blackholing Provider member AS4 member AS3 AQack AS4 Target IXP Blackholing Server User 20

  21. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 21

  22. BGP Blackhole Community DicEonary • BGP CommuniEes are standardized • We mine Internet Registries, NOC webpages etc. for keywords like “blackhole”, “null route” using Natural Language Processing Level3 DE-CIX 22

  23. Methodology BGP 172.18.192.1/32 Collector AS3 AS1 Community = AS3:666 AS1 172.18.192.1 AS4 AQack AS3 Target Server AS2 23

  24. Methodology Starts at t 0 : A|172.18.192.1/32| BGP provider:AS3|user:AS4|communiaes Collector AS1 172.18.192.1 AS4 AQack AS3 Target Server AS2 24

  25. Methodology Starts at t 0 : A|172.18.192.1/32| BGP provider:AS3|user:AS4|communiaes Collector Ends at t 1 : W|172.18.192.1/32 AS1 172.18.192.1/32 172.18.192.1 AS4 AQack AS3 Target Server AS2 25

  26. Methodology Starts at t 0 : A|172.18.192.1/32| BGP provider:AS3|user:AS4|communiaes Collector Ends at t 1 : W|172.18.192.1/32 AS1 172.18.192.1 AS4 AQack AS3 Target Server AS2 26

  27. Methodology Starts at t 0 : A|172.18.192.1/32| BGP t 3 : A|151.18.192.1/32|provider: AS13|user: AS9|communiaes provider:AS3| user:AS4|communiaes Collector t 4 : W|151.18.192.1/32 Ends at t 1 : W|172.18.192.1/32 AS1 172.18.192.1 AS4 AS3 t 7 : A|125.20.191.1/32|provider: AQack AS3 AS30| user: AS11|communiaes t 8 : W|125.20.191.1/32 Target Server AS2 27

  28. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing Acavity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 28

  29. BGP Datasets Source #IP peers #AS peers RIPE 425 313 Route Views 269 197 PCH 8,897 1,721 CDN 3,349 1,282 Total 12,940 2,798 CDN and PCH infer 3x more blackholed prefixes than RIPE and Route Views 29

  30. The Rise of BGP Blackholing 2.5x 30

  31. The Rise of BGP Blackholing 4x 31

  32. The Rise of BGP Blackholing 6x 32

  33. The Rise of BGP Blackholing Mirai 33

  34. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 34

  35. BGP Blackholing Inference StaEsEcs 35

  36. BGP Blackholing PropagaEon 172.18.192.1/32 AS1 172.18.192.1/32 Community = AS3:666 Community = AS3:666 172.18.192.1 BGP Collector AS4 AS3 BGP AQack AS120 Collector Target Server AS130 AS140 36

  37. BGP Blackholing Inference StaEsEcs Due to Blackholing Propagaaon 37

  38. BGP Blackhole Bundling BGP 172.18.192.1/32 Collector Community = AS3:666, AS20:666, AS30:99, AS40:66 AS1 172.18.192.1 AS4 AS3 AQack AS20 Target Server AS30 AS40 38

  39. BGP Blackholing Inference StaEsEcs Due to Blackholing Bundling 39

  40. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 40

  41. BGP Blackholing Efficacy: AcEve Measurements AS1 172.18.192.1 AS4 AS3 AQack Target Server 41

  42. BGP Blackholing Efficacy: AcEve Measurements AS1 172.18.192.1 AS4 AS3 AQack Target Server 42

  43. BGP Blackholing Efficacy: AcEve Measurements AS1 172.18.192.1 AS4 AS3 AQack Target Server 43

  44. BGP Blackholing Efficacy: AcEve Measurements Reducaon by 5 IP hops (on average) 44

  45. BGP Blackholing Efficacy: AcEve Measurements Reducaon by 3 AS hops (on average) 45

  46. Agenda • BGP Blackholing in Detail • Inference Methodology for BGP Blackholing • Trends in BGP Blackholing AcEvity • Visibility of BGP Blackholing • BGP Blackholing Network Efficacy • Profile of BGP Blackholing Adopters 46

  47. Popularity of Blackholing Providers 47

  48. Popularity of Blackholing Providers 48

  49. Popularity of Blackholing Users 49

  50. Popularity of Blackholing Users 43% of bh prefixes belong to content providers/hosters 50

  51. Profile of Blackholed Prefixes 50% 40% 30% 20% 10% 0 • Open ports in hosts in 60% of the blackholed prefixes • In many cases default hosEng so`ware configuraEons • Serve ephemeral or low-ranked domains 51

  52. BGP Blackholing DuraEon 52

  53. Conclusion • The first Internet-wide study on the AdopEon and State of BGP Blackholing • Methodology to infer Blackholing acEvity from BGP data • BGP Blackholing on the rise in all three metrics (Providers, Users, Prefixes) • BGP Blackholing is EffecEve in dropping traffic early • Profile of Blackholed adopters and Insights on Usage 53

  54. Thank you! 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply

Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply

Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply keybase.io/admrply Who am I? 3nd year Ethical Hacking student at Abertay. Does web things. Artist/Musician. Building and Breaking IoT. What is BGP

334 views • 29 slides
A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019 University of Strasbourg AS 20 AS 10 AS 30 P: 192.0.2.0/24 BGP Blackholing Blackholing is a DDoS mitigation technique signaled via BGP 1 . 1

1.19k views • 93 slides
Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity

Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity

Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity Denial Geoffrey M. Voelker Geoffrey M. Voelker University of California, San Diego University of California, San Diego Joint work with David Moore

369 views • 32 slides
Measuring and Inferring Weather's Effect on Residential Internet Infrastructure Ramakrishna

Measuring and Inferring Weather's Effect on Residential Internet Infrastructure Ramakrishna

Measuring and Inferring Weather's Effect on Residential Internet Infrastructure Ramakrishna Padmanabhan, Aaron Schulman, Ramakrishnan Sundara Raman, Reethika Ramesh, Dave Levin, Neil Spring 1 Residential Internet infrastructure is

369 views • 23 slides
Inferring Autonomous System Relationships in the Internet Lixin Gao Motivation Routing

Inferring Autonomous System Relationships in the Internet Lixin Gao Motivation Routing

Inferring Autonomous System Relationships in the Internet Lixin Gao Motivation Routing policies are constrained by the contractual commercial agreements between administrative domains For example : AS sets policy so that it does not

558 views • 23 slides
CHALLENGES IN INFERRING INTERNET CONGESTION USING THROUGHPUT TESTS Amogh Dhamdhere

CHALLENGES IN INFERRING INTERNET CONGESTION USING THROUGHPUT TESTS Amogh Dhamdhere

CHALLENGES IN INFERRING INTERNET CONGESTION USING THROUGHPUT TESTS Amogh Dhamdhere amogh@caida.org with Srikanth Sundaresan (Princeton) Danny Lee (Georgia Tech) Xiaohong Deng, Yun Feng (UNSW) 1 w w w . cai da. or In the Press

570 views • 54 slides
Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger ,

Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger ,

Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger , Nicholas Weaver , Larry Campbell Naval Postgraduate School Akamai ICSI/UCSD rbeverly@nps.edu, awberger@mit.edu February 7, 2013

323 views • 19 slides
Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial

798 views • 49 slides
Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin Nawrocki, Jeremias Blendin, Christoph Dietzel, Thomas C. Schmidt, Matthias Whlisch Christmas is near!

1.15k views • 80 slides
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente) Denial-of-Service attacks A conceptually simple, yet effective class of

750 views • 33 slides
The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly and Steve Bauer {rbeverly,bauer}@mit.edu The Spoofer Project Goal: Quantify the extent and nature of source address filtering on the

421 views • 31 slides
Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias Wichtlhuber*, Georgios Smaragdakis , Anja Feldmann TU Berlin, *DE-CIX, MPI Volumetric DDoS Attacks ? Tbps 1.7 Tbps 1 Tbps 200 Gbps 15

571 views • 22 slides
No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your favourite team? Do you use the internet to watch music videos? Do you use the Internet to read the news? Do you use the Internet to play games? Shared

997 views • 51 slides
TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Mo:on Liang Cai and Hao Chen UC Davis Security Problems on Smartphones Old

264 views • 15 slides
The Challenge of Cultural The Challenge of Cultural Modeling for Inferring Modeling for

The Challenge of Cultural The Challenge of Cultural Modeling for Inferring Modeling for

WI/IAT Joint Keynote, Silicon Valley, USA, 2007 The Challenge of Cultural The Challenge of Cultural Modeling for Inferring Modeling for Inferring Intentions and Behavior Intentions and Behavior Eugene Santos Jr. Eugene Santos Jr. Thayer

809 views • 55 slides
802.15.3c millimeter-wave WPANs: PHY and MAC. In 6th Conference on Wireless Advanced 2010 (WiAD),

802.15.3c millimeter-wave WPANs: PHY and MAC. In 6th Conference on Wireless Advanced 2010 (WiAD),

Zhu, X., Doufexi, A., & Koak, T. (2010). On the performance of IEEE 802.15.3c millimeter-wave WPANs: PHY and MAC. In 6th Conference on Wireless Advanced 2010 (WiAD), London, UK (pp. 1 - 6). Institute of Electrical and Electronics Engineers

691 views • 19 slides
Robust SuperPoll Protocol for IEEE 802.11 Wireless LANs By Aura Ganz*, Anan Phonphoem*, and Zvi

Robust SuperPoll Protocol for IEEE 802.11 Wireless LANs By Aura Ganz*, Anan Phonphoem*, and Zvi

Robust SuperPoll Protocol for IEEE 802.11 Wireless LANs By Aura Ganz*, Anan Phonphoem*, and Zvi Ganz** * ECE Department, University of Massachusetts, Amherst ** AIM Engineering Inc. 1 Presentation Outline IEEE 802.11 PCF Single

137 views • 11 slides
CS-522 (Modelling and Simulation) Project Statechart Modelling of TCP protocol Shah Asaduzzaman

CS-522 (Modelling and Simulation) Project Statechart Modelling of TCP protocol Shah Asaduzzaman

CS-522 (Modelling and Simulation) Project Statechart Modelling of TCP protocol Shah Asaduzzaman Zaki Hasnain Patel The total system Client Data Server Application Generator Application Data packet Data Buffer Data Channel (C-to-S) TCP

116 views • 11 slides
Multipath QUIC: Design and Evaluation Quentin De Coninck , Olivier Bonaventure

Multipath QUIC: Design and Evaluation Quentin De Coninck , Olivier Bonaventure

Multipath QUIC: Design and Evaluation Quentin De Coninck , Olivier Bonaventure quentin.deconinck@uclouvain.be multipath-quic.org QUIC = Quick UDP Internet Connection TCP/TLS1.3 atop UDP Stream multiplexing HTTP/2 use case 0-RTT

690 views • 56 slides
JACK CINCINNATI CASINO TRANSACTION OVERVIEW APRIL 5, 2019 DISCLAIMERS Forward-Looking

JACK CINCINNATI CASINO TRANSACTION OVERVIEW APRIL 5, 2019 DISCLAIMERS Forward-Looking

JACK CINCINNATI CASINO TRANSACTION OVERVIEW APRIL 5, 2019 DISCLAIMERS Forward-Looking Statements This presentation contains forward-looking statements within the meaning of the federal securities laws. You can identify these statements by our

110 views • 9 slides
OMNeT++ Community Summit, 2016 An outline of the new IEEE 802.11 model in the INET framework

OMNeT++ Community Summit, 2016 An outline of the new IEEE 802.11 model in the INET framework

OMNeT++ Community Summit, 2016 An outline of the new IEEE 802.11 model in the INET framework Brno University of Technology Czech Republic September 15-16, 2016 Levente Mszros Quick Recap The old model was a dead end Design

520 views • 37 slides
What are the three questions my audience would ask me? Coding standards XDebug Customize: Color

What are the three questions my audience would ask me? Coding standards XDebug Customize: Color

What are the three questions my audience would ask me? Coding standards XDebug Customize: Color Schemes How to use: tabs Plugins: ctrlp leader-fef Adding things to your .vimrc.after http://drupal.org/node/29325

147 views • 3 slides
Jack Creek Park Capital Improvement Project Public Information Meeting October 2, 2017

Jack Creek Park Capital Improvement Project Public Information Meeting October 2, 2017

Jack Creek Park Capital Improvement Project Public Information Meeting October 2, 2017 Consultants & Designers, Inc. Integrating Engineering and Environment 7455 New Ridge Road, Suite T Phone: (410) 694-9401 Hanover, Maryland

374 views • 25 slides

More recommend